Windows Explorer bypasses router password


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable


1 edit
reply to dolphins
Re: Windows Explorer bypasses router password

I'm coming to this late, but just want to say that the problem did not occur on Windows 2000 SP4 with "separate process" unchecked, upnp disabled, and the options set to never save any data (passwords, form data, autocomplete). This agrees with dolphins' surmise that it's XP only.

@dolphins and planet, untrusted LAN users can be a concern even if this is not exploitable from the WAN side.

said by jbob:

One of the things I discovered using FireFox with multiple tabs open is that once you log in to a site that requires a login name/password unless you completely close all the tabs and Firefox itself it will remember the login name and password for each site entered. Example: If I have Firefox open with two tabs, one on DSLR and one on Yahoo Mail, if I close the tab to DSLR and then open a new tab and go back to DSLR I will not be asked to login again. Same with Yahoo Email. As long as one instance of my browser remains open it will retain that info.

When you login to DSLR for example, if you have the option set to not store passwords or other form data, Firefox obeys your setting and does not retain the login or password. The reason you stay logged in is that upon login you pick up a cookie which contains a token generated at your login, and that cookie gets checked at each subsequent page load. At least some routers use this method too. Mine for example is a Netgear and uses the cookie method.

The OP's issue, and the same as encountered by others, is Windows retaining credentials and maybe also a non-cookie token.

-------

If the login credentials or token are stored other than by a cookie, this indicates that the router uses a proprietary Windows login method rather than a web-standard method, correct?

Also, the "separate process" setting is a workaround; it doesn't mean the behavior is not a bug. Windows' retaining the credentials even when told not to is a defect.
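
Added example (not part of any post in this thread): a small Python check that tells the two login mechanisms discussed above apart from a router's first HTTP response. A 401 with WWW-Authenticate means the client holds the credentials and re-sends them on every request; a Set-Cookie means the router issued a token. The sample responses are constructed and the function name classify_login is hypothetical.

```python
from email.parser import Parser  # std-lib parser, also handles HTTP-style headers

# Constructed sample responses, not captured from any router in this thread.
BASIC_ROUTER = ('HTTP/1.1 401 Unauthorized\r\n'
                'WWW-Authenticate: Basic realm="router"\r\n'
                'Content-Length: 0\r\n\r\n')
COOKIE_ROUTER = ('HTTP/1.1 302 Found\r\n'
                 'Location: /index.htm\r\n'
                 'Set-Cookie: session=CONSTRUCTED-TOKEN; Path=/; HttpOnly\r\n\r\n')
PERSISTENT_ROUTER = ('HTTP/1.1 200 OK\r\n'
                     'Set-Cookie: sid=CONSTRUCTED; Max-Age=3600\r\n\r\n<html></html>')


def classify_login(raw: str) -> dict:
    """Report which login mechanism a raw HTTP response points to."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    fields = status_line.split()
    if len(fields) < 2 or not fields[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    status = int(fields[1])
    headers = Parser().parsestr(header_block, headersonly=True)

    # HTTP authentication: the server only challenges. The client keeps the
    # username/password in memory and attaches them to every later request,
    # so the login lasts as long as the client process does.
    challenges = headers.get_all("WWW-Authenticate", [])
    schemes = sorted({c.split()[0].lower() for c in challenges if c.strip()})
    if status == 401 and schemes:
        return {"mechanism": "http-auth", "schemes": schemes}

    # Cookie login: the server hands out a token. Without Expires/Max-Age it
    # is a session cookie, dropped when the browser exits.
    cookies = headers.get_all("Set-Cookie", [])
    if cookies:
        attrs = {a.strip().split("=", 1)[0].lower()
                 for c in cookies for a in c.split(";")[1:]}
        return {"mechanism": "cookie",
                "persistent": bool(attrs & {"expires", "max-age"}),
                "httponly": "httponly" in attrs}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    for name in ("BASIC_ROUTER", "COOKIE_ROUTER", "PERSISTENT_ROUTER"):
        print(name, classify_login(globals()[name]))
```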


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to jack b
Re: This stinks

said by jack b:

Thanks to dolphins, for posting about this in the first place, and also to BandHeight, for posting the fix to an obscure and potentially sensitive issue.

I say cheers to that and yes, a round of applause for BandHeight for having the ability to see what others did not. I know first hand how hard it is to diagnose someone else's computer problems without having physical access.

I went through my folder options a dozen times but saw nothing that would solve this problem, as I'm sure most of the people trying to solve this did. I consider this to be another Microsoft flaw as I need to know the reasoning why this is unchecked by default?
--
Prevent Malware


jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
·Comcast

reply to dolphins
Thanks to dolphins, for posting about this in the first place, and also to BandHeight, for posting the fix to an obscure and potentially sensitive issue.
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to BandHeight
Thanks for the follow up. You are now one of my close friends whether you like it or not.
--
Prevent Malware

BandHeight

join:2004-08-30
Portland, TX

reply to dolphins
said by dolphins:

BINGO! We have a winner!

Thank You Thank You Thank You

Edit: The only thing now is how did mine get unchecked?

You're welcome.

By the way, Jack B is correct that default is "unchecked". My intent, though not clear, by saying "as I always have it set" was to let you know that I actually set the option.

As to why everyone else here seems to have the setting changed from default: it is a fairly common and often recommended tweak. However, the reason usually cited for the recommendation is that it decreases the chances of a crashed Explorer window taking down the entire system because each instance of Explorer (with the option checked) is opened in a separate process, as should be clear from the option's name. However, as you have found out and as can be easily imagined, the issues that can be caused by the default setting are more wide ranging.


jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
reply to dolphins
YUP.
Checking that stopped the "feature".
Seems unchecked IS default setting.


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast


2 edits
reply to BandHeight
BINGO! We have a winner!

Thank You Thank You Thank You

Edit: The only thing now is how did mine get unchecked?

BandHeight

join:2004-08-30
Portland, TX

reply to dolphins
If I uncheck:

Windows Explorer->Tools->Folder Options->View->
Launch Folder Windows In A Separate Process

I can recreate your issue (no user / password prompt). However, with the setting checked (as I always have it set), the prompt occurs each time Windows Explorer is used to launch the router administration page (D-Link router).


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire


2 edits
reply to dolphins
Probably not, but try with another router or connect another comp? I think there would be many more people able to confirm your finding if it was just Windows.

edit@ It is the combination of Explorer and IE (I use Firefox usually). I have accessed the router with IE and then followed with Explorer. This time it displayed both the user name and password populated, and all I have to do is press OK, and now it remembers the setting even though I didn't click "remember the password". If I close IE, Explorer is challenged on subsequent tries.

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to Cudni
No, it's not a router feature, it's a Windows feature. jack_b is running a D-Link router and has the same problem.

That's why I can't understand why no one else has this problem.
--
Prevent Malware


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to jbob
Re: Windows Explorer bypasses router password

said by jbob:

These are my results. 1st I'm not sure one can separate Windows Explorer from Internet Explorer. From my feeble memory I seem to remember one of the features programmed into Explorer was to be able to Explore/Browse a network similar or even via HTTP which is why the two are almost inseparable. If you type in a web link in Windows Explorer it will bring up the Web browser and take you to the site.

You are correct. Windows Explorer opens IE when a web address or IP is typed into the address bar, but the problem we are having is that even after closing all windows we can still enter the router without being prompted for a password.

The only thing I can think is that me and jack_b have something running that keeps Windows open? I thought it might have been WallWatcher but I removed it and still the same problem.
--
Prevent Malware


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

reply to dolphins
Re: This stinks

They think of it as feature? I've got 2 browsers accessing the router from same machine and still explorer is challenged when it tries. Unless they change the firmware not much you can do except prevent explorer access with firewall.

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast


1 edit
reply to jack b
OK, got a response from the Linksys.com forums and it's pretty much what you did (rebooted) and what jbob is saying.

»forums.linksys.com/linksys/board···ue#M2576

quote:
As long as windows is running, windows explorer is running, too. If you enter the password once it remains cached until windows is rebooted. It is the same with internet explorer: as long as one internet explorer window remains open the password entered before remains cached. You have to close all internet explorer windows (ending iexplore.exe) before you have to enter it again. This is on purpose. Else you would have to enter the password again and again for all router pages.

Edit: I still can't see why this isn't happening to everyone? Is everybody but me and jack_b rebooting every time they close windows?
--
Prevent Malware


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

reply to dolphins
Re: Windows Explorer bypasses router password

All of you that can confirm the issue, do you have the same model router/firmware
BEFSR41 V3 Firmware Version: 1.05.00 as dolphins?


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

reply to dolphins
These are my results. 1st I'm not sure one can separate Windows Explorer from Internet Explorer. From my feeble memory I seem to remember one of the features programmed into Explorer was to be able to Explore/Browse a network similar or even via HTTP which is why the two are almost inseparable. If you type in a web link in Windows Explorer it will bring up the Web browser and take you to the site.

One of the things I discovered using FireFox with multiple tabs open is that once you log in to a site that requires a login name/password, unless you completely close all the tabs and Firefox itself, it will remember the login name and password for each site entered. Example: If I have Firefox open with two tabs, one on DSLR and one on Yahoo Mail, if I close the tab to DSLR and then open a new tab and go back to DSLR I will not be asked to login again. Same with Yahoo Email. As long as one instance of my browser remains open it will retain that info.

In my testing if I open IE and login to my router then close my browser fully it will ask every time. If I add my router web address to Windows Explorer it opens FireFox for me (my default browser) and again asks for login each time. But to get this to happen I have to make sure my browser is shut down each time. If you leave your browser window (IE or FX in my case) open and have Windows Explorer open on top of it and enter the router IP again, the browser will have retained the login info and not ask you to login again.

That is what I experienced.


jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
·Comcast

reply to dolphins
This stinks

I thought I had it licked with a reboot, but once I successfully logged in to the router in IE, and then closed the browser, I opened windows explorer, pasted the address and went right in... no password challenge.
Trying again using IE, dialog box popped up, pre-filled in.
I DO NOT have auto complete or upnp service active!
--
~Help find a cure for Cancer~
~Proud Member of Team Discovery ~


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to planet
Re: Windows Explorer bypasses router password

said by planet:

Dolphins,
I understand your concern. But, would this be an issue from the WAN side or only the LAN side? Ya gotta love a password protected software FW in cases like this.

This could pose a real problem for businesses if employees can access the router via Windows Explorer.
An attack would have to come from the WAN in order to reach the LAN but a well written web page with intent to steal could bypass my router if I had no other security in place.

As for this being widespread I'm unsure cause only the 2 of us so far have been able to do this.
--
Prevent Malware


dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast

reply to fcisler
One of the first things I did when I got this machine up and running was to disable UPnP. Also, since all I did was swap machines (old for new) on the router, UPnP was already disabled in my router settings.
--
Prevent Malware

speeddemon100

join:2001-02-18
West Hempstead, NY
reply to speeddemon100
On XP Home SP2, I cannot duplicate dolphins' issue. Like I said with Vista, I have a Belkin router - 192.168.2.1. Windows Explorer will prompt for password as well as IE6.

speeddemon100

join:2001-02-18
West Hempstead, NY
reply to dolphins
Well I've been testing Vista for a while and it can't be duplicated here. (192.168.2.1)(Belkin) Typing this in Explorer launches internet explorer, and then prompts for password.